datadog 2.9.0 → 2.10.0

data/lib/datadog/appsec/context.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative 'metrics'
+
 module Datadog
   module AppSec
     # This class accumulates the context over the request life-cycle and exposes
@@ -7,10 +9,7 @@ module Datadog
     class Context
       ActiveContextError = Class.new(StandardError)
 
-      attr_reader :trace, :span
-
-      # NOTE: This is an intermediate state and will be changed
-      attr_reader :waf_runner
+      attr_reader :trace, :span, :events
 
       class << self
         def activate(context)
@@ -34,16 +33,37 @@ module Datadog
       def initialize(trace, span, security_engine)
         @trace = trace
         @span = span
+        @events = []
         @security_engine = security_engine
-        @waf_runner = security_engine.new_context
+        @waf_runner = security_engine.new_runner
+        @metrics = Metrics::Collector.new
       end
 
       def run_waf(persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
-        @waf_runner.run(persistent_data, ephemeral_data, timeout)
+        result = @waf_runner.run(persistent_data, ephemeral_data, timeout)
+
+        @metrics.record_waf(result)
+        result
+      end
+
+      def run_rasp(type, persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
+        result = @waf_runner.run(persistent_data, ephemeral_data, timeout)
+
+        Metrics::Telemetry.report_rasp(type, result)
+        @metrics.record_rasp(result)
+
+        result
       end
 
-      def run_rasp(_type, persistent_data, ephemeral_data, timeout = WAF::LibDDWAF::DDWAF_RUN_TIMEOUT)
-        @waf_runner.run(persistent_data, ephemeral_data, timeout)
+      def extract_schema
+        @waf_runner.run({ 'waf.context.processor' => { 'extract-schema' => true } }, {})
+      end
+
+      def export_metrics
+        return if @span.nil?
+
+        Metrics::Exporter.export_waf_metrics(@metrics.waf, @span)
+        Metrics::Exporter.export_rasp_metrics(@metrics.rasp, @span)
       end
 
       def finalize

data/lib/datadog/appsec/contrib/active_record/instrumentation.rb

@@ -9,6 +9,8 @@ module Datadog
           module_function
 
           def detect_sql_injection(sql, adapter_name)
+            return unless AppSec.rasp_enabled?
+
             context = AppSec.active_context
             return unless context
 
@@ -25,7 +27,7 @@ module Datadog
             waf_timeout = Datadog.configuration.appsec.waf_timeout
             result = context.run_rasp(Ext::RASP_SQLI, {}, ephemeral_data, waf_timeout)
 
-            if result.status == :match
+            if result.match?
               Datadog::AppSec::Event.tag_and_keep!(context, result)
 
               event = {
@@ -35,7 +37,9 @@ module Datadog
                 sql: sql,
                 actions: result.actions
               }
-              context.waf_runner.events << event
+              context.events << event
+
+              ActionsHandler.handle(result.actions)
             end
           end
 

data/lib/datadog/appsec/contrib/graphql/appsec_trace.rb

@@ -16,16 +16,10 @@ module Datadog
 
             gateway_multiplex = Gateway::Multiplex.new(multiplex)
 
-            multiplex_return, multiplex_response = Instrumentation.gateway.push('graphql.multiplex', gateway_multiplex) do
+            multiplex_return, _gateway_multiplex = Instrumentation.gateway.push('graphql.multiplex', gateway_multiplex) do
               super
             end
 
-            # Returns an error * the number of queries so that the entire multiplex is blocked
-            if multiplex_response
-              blocked_event = multiplex_response.find { |action, _options| action == :block }
-              multiplex_return = AppSec::Response.graphql_response(gateway_multiplex) if blocked_event
-            end
-
             multiplex_return
           end
         end

data/lib/datadog/appsec/contrib/graphql/gateway/watcher.rb

@@ -22,7 +22,6 @@ module Datadog
               # This time we don't throw but use next
               def watch_multiplex(gateway = Instrumentation.gateway)
                 gateway.watch('graphql.multiplex', :appsec) do |stack, gateway_multiplex|
-                  block = false
                   event = nil
                   context = AppSec::Context.active
                   engine = AppSec::Reactive::Engine.new
@@ -38,14 +37,14 @@ module Datadog
                       }
 
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
+                      context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
 
-                    block = GraphQL::Reactive::Multiplex.publish(engine, gateway_multiplex)
+                    GraphQL::Reactive::Multiplex.publish(engine, gateway_multiplex)
                   end
 
-                  next [nil, [[:block, event]]] if block
-
                   stack.call(gateway_multiplex.arguments)
                 end
               end

data/lib/datadog/appsec/contrib/graphql/reactive/multiplex.rb

@@ -32,7 +32,7 @@ module Datadog
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
                 result = context.run_waf(persistent_data, {}, waf_timeout)
 
-                next if result.status != :match
+                next unless result.match?
 
                 yield result
                 throw(:block, true) unless result.actions.empty?

data/lib/datadog/appsec/contrib/rack/gateway/watcher.rb

@@ -30,7 +30,7 @@ module Datadog
                   engine = AppSec::Reactive::Engine.new
 
                   Rack::Reactive::Request.subscribe(engine, context) do |result|
-                    if result.status == :match
+                    if result.match?
                       # TODO: should this hash be an Event instance instead?
                       event = {
                         waf_result: result,
@@ -43,12 +43,13 @@ module Datadog
                       # We want to keep the trace in case of security event
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
+                      context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Rack::Reactive::Request.publish(engine, gateway_request)
-                  throw(Datadog::AppSec::Ext::INTERRUPT, event[:actions]) if block
+                  Rack::Reactive::Request.publish(engine, gateway_request)
 
                   stack.call(gateway_request.request)
                 end
@@ -61,7 +62,7 @@ module Datadog
                   engine = AppSec::Reactive::Engine.new
 
                   Rack::Reactive::Response.subscribe(engine, context) do |result|
-                    if result.status == :match
+                    if result.match?
                       # TODO: should this hash be an Event instance instead?
                       event = {
                         waf_result: result,
@@ -74,12 +75,13 @@ module Datadog
                       # We want to keep the trace in case of security event
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
+                      context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Rack::Reactive::Response.publish(engine, gateway_response)
-                  throw(Datadog::AppSec::Ext::INTERRUPT, event[:actions]) if block
+                  Rack::Reactive::Response.publish(engine, gateway_response)
 
                   stack.call(gateway_response.response)
                 end
@@ -92,7 +94,7 @@ module Datadog
                   engine = AppSec::Reactive::Engine.new
 
                   Rack::Reactive::RequestBody.subscribe(engine, context) do |result|
-                    if result.status == :match
+                    if result.match?
                       # TODO: should this hash be an Event instance instead?
                       event = {
                         waf_result: result,
@@ -105,12 +107,13 @@ module Datadog
                       # We want to keep the trace in case of security event
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
+                      context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Rack::Reactive::RequestBody.publish(engine, gateway_request)
-                  throw(Datadog::AppSec::Ext::INTERRUPT, event[:actions]) if block
+                  Rack::Reactive::RequestBody.publish(engine, gateway_request)
 
                   stack.call(gateway_request.request)
                 end

data/lib/datadog/appsec/contrib/rack/reactive/request.rb

@@ -55,7 +55,7 @@ module Datadog
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
                 result = context.run_waf(persistent_data, {}, waf_timeout)
 
-                next if result.status != :match
+                next unless result.match?
 
                 yield result
                 throw(:block, true) unless result.actions.empty?

data/lib/datadog/appsec/contrib/rack/reactive/request_body.rb

@@ -33,7 +33,7 @@ module Datadog
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
                 result = context.run_waf(persistent_data, {}, waf_timeout)
 
-                next if result.status != :match
+                next unless result.match?
 
                 yield result
                 throw(:block, true) unless result.actions.empty?

data/lib/datadog/appsec/contrib/rack/reactive/response.rb

@@ -39,7 +39,7 @@ module Datadog
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
                 result = context.run_waf(persistent_data, {}, waf_timeout)
 
-                next if result.status != :match
+                next unless result.match?
 
                 yield result
                 throw(:block, true) unless result.actions.empty?

data/lib/datadog/appsec/contrib/rack/request_body_middleware.rb

@@ -24,15 +24,15 @@ module Datadog
             # TODO: handle exceptions, except for @app.call
 
             http_response = nil
-            block_actions = catch(::Datadog::AppSec::Ext::INTERRUPT) do
-              http_response, = Instrumentation.gateway.push('rack.request.body', Gateway::Request.new(env)) do
+            interrupt_params = catch(::Datadog::AppSec::Ext::INTERRUPT) do
+              http_response, _request = Instrumentation.gateway.push('rack.request.body', Gateway::Request.new(env)) do
                 @app.call(env)
               end
 
               nil
             end
 
-            return AppSec::Response.negotiate(env, block_actions).to_rack if block_actions
+            return AppSec::Response.from_interrupt_params(interrupt_params, env['HTTP_ACCEPT']).to_rack if interrupt_params
 
             http_response
           end

data/lib/datadog/appsec/contrib/rack/request_middleware.rb

@@ -76,8 +76,8 @@ module Datadog
             gateway_request = Gateway::Request.new(env)
             gateway_response = nil
 
-            block_actions = catch(::Datadog::AppSec::Ext::INTERRUPT) do
-              http_response, = Instrumentation.gateway.push('rack.request', gateway_request) do
+            interrupt_params = catch(::Datadog::AppSec::Ext::INTERRUPT) do
+              http_response, _gateway_request = Instrumentation.gateway.push('rack.request', gateway_request) do
                 @app.call(env)
               end
 
@@ -90,27 +90,29 @@ module Datadog
               nil
             end
 
-            http_response = AppSec::Response.negotiate(env, block_actions).to_rack if block_actions
+            if interrupt_params
+              http_response = AppSec::Response.from_interrupt_params(interrupt_params, env['HTTP_ACCEPT']).to_rack
+            end
 
-            if (result = ctx.waf_runner.extract_schema)
-              ctx.waf_runner.events << {
+            if AppSec.api_security_enabled?
+              ctx.events << {
                 trace: ctx.trace,
                 span: ctx.span,
-                waf_result: result,
+                waf_result: ctx.extract_schema,
               }
             end
 
-            ctx.waf_runner.events.each do |e|
+            ctx.events.each do |e|
               e[:response] ||= gateway_response
               e[:request]  ||= gateway_request
             end
 
-            AppSec::Event.record(ctx.span, *ctx.waf_runner.events)
+            AppSec::Event.record(ctx.span, *ctx.events)
 
             http_response
           ensure
             if ctx
-              add_waf_runtime_tags(ctx)
+              ctx.export_metrics
               Datadog::AppSec::Context.deactivate
             end
           end
@@ -198,19 +200,6 @@ module Datadog
             end
           end
 
-          def add_waf_runtime_tags(context)
-            span = context.span
-            context = context.waf_runner
-
-            return unless span && context
-
-            span.set_tag('_dd.appsec.waf.timeouts', context.timeouts)
-
-            # these tags expect time in us
-            span.set_tag('_dd.appsec.waf.duration', context.time_ns / 1000.0)
-            span.set_tag('_dd.appsec.waf.duration_ext', context.time_ext_ns / 1000.0)
-          end
-
           def to_rack_header(header)
             @rack_headers[header] ||= Datadog::Tracing::Contrib::Rack::Header.to_rack_header(header)
           end

data/lib/datadog/appsec/contrib/rails/gateway/watcher.rb

@@ -26,7 +26,7 @@ module Datadog
                   engine = AppSec::Reactive::Engine.new
 
                   Rails::Reactive::Action.subscribe(engine, context) do |result|
-                    if result.status == :match
+                    if result.match?
                       # TODO: should this hash be an Event instance instead?
                       event = {
                         waf_result: result,
@@ -39,12 +39,13 @@ module Datadog
                       # We want to keep the trace in case of security event
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
+                      context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Rails::Reactive::Action.publish(engine, gateway_request)
-                  next [nil, [[:block, event]]] if block
+                  Rails::Reactive::Action.publish(engine, gateway_request)
 
                   stack.call(gateway_request.request)
                 end

data/lib/datadog/appsec/contrib/rails/patcher.rb

@@ -80,22 +80,12 @@ module Datadog
               # TODO: handle exceptions, except for super
 
               gateway_request = Gateway::Request.new(request)
-              request_return, request_response = Instrumentation.gateway.push('rails.request.action', gateway_request) do
-                super
-              end
 
-              if request_response
-                blocked_event = request_response.find { |action, _options| action == :block }
-                if blocked_event
-                  @_response = AppSec::Response.negotiate(
-                    env,
-                    blocked_event.last[:actions]
-                  ).to_action_dispatch_response
-                  request_return = @_response.body
-                end
+              http_response, _gateway_request = Instrumentation.gateway.push('rails.request.action', gateway_request) do
+                super
               end
 
-              request_return
+              http_response
             end
           end
 

data/lib/datadog/appsec/contrib/rails/reactive/action.rb

@@ -39,7 +39,7 @@ module Datadog
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
                 result = context.run_waf(persistent_data, {}, waf_timeout)
 
-                next if result.status != :match
+                next unless result.match?
 
                 yield result
                 throw(:block, true) unless result.actions.empty?

data/lib/datadog/appsec/contrib/sinatra/gateway/watcher.rb

@@ -28,7 +28,7 @@ module Datadog
                   engine = AppSec::Reactive::Engine.new
 
                   Rack::Reactive::RequestBody.subscribe(engine, context) do |result|
-                    if result.status == :match
+                    if result.match?
                       # TODO: should this hash be an Event instance instead?
                       event = {
                         waf_result: result,
@@ -41,12 +41,13 @@ module Datadog
                       # We want to keep the trace in case of security event
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
+                      context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Rack::Reactive::RequestBody.publish(engine, gateway_request)
-                  next [nil, [[:block, event]]] if block
+                  Rack::Reactive::RequestBody.publish(engine, gateway_request)
 
                   stack.call(gateway_request.request)
                 end
@@ -59,7 +60,7 @@ module Datadog
                   engine = AppSec::Reactive::Engine.new
 
                   Sinatra::Reactive::Routed.subscribe(engine, context) do |result|
-                    if result.status == :match
+                    if result.match?
                       # TODO: should this hash be an Event instance instead?
                       event = {
                         waf_result: result,
@@ -72,12 +73,13 @@ module Datadog
                       # We want to keep the trace in case of security event
                       context.trace.keep! if context.trace
                       Datadog::AppSec::Event.tag_and_keep!(context, result)
-                      context.waf_runner.events << event
+                      context.events << event
+
+                      Datadog::AppSec::ActionsHandler.handle(result.actions)
                     end
                   end
 
-                  block = Sinatra::Reactive::Routed.publish(engine, [gateway_request, gateway_route_params])
-                  next [nil, [[:block, event]]] if block
+                  Sinatra::Reactive::Routed.publish(engine, [gateway_request, gateway_route_params])
 
                   stack.call(gateway_request.request)
                 end

data/lib/datadog/appsec/contrib/sinatra/patcher.rb

@@ -6,7 +6,6 @@ require_relative '../patcher'
 require_relative '../../response'
 require_relative '../rack/request_middleware'
 require_relative 'framework'
-require_relative 'ext'
 require_relative 'gateway/watcher'
 require_relative 'gateway/route_params'
 require_relative 'gateway/request'
@@ -62,17 +61,8 @@ module Datadog
 
             gateway_request = Gateway::Request.new(env)
 
-            request_return, request_response = Instrumentation.gateway.push('sinatra.request.dispatch', gateway_request) do
-              # handle process_route interruption
-              catch(Datadog::AppSec::Contrib::Sinatra::Ext::ROUTE_INTERRUPT) { super }
-            end
-
-            if request_response
-              blocked_event = request_response.find { |action, _options| action == :block }
-              if blocked_event
-                self.response = AppSec::Response.negotiate(env, blocked_event.last[:actions]).to_sinatra_response
-                request_return = nil
-              end
+            request_return, _gateway_request = Instrumentation.gateway.push('sinatra.request.dispatch', gateway_request) do
+              super
             end
 
             request_return
@@ -103,20 +93,7 @@ module Datadog
               gateway_request = Gateway::Request.new(env)
               gateway_route_params = Gateway::RouteParams.new(route_params)
 
-              _, request_response = Instrumentation.gateway.push(
-                'sinatra.request.routed',
-                [gateway_request, gateway_route_params]
-              )
-
-              if request_response
-                blocked_event = request_response.find { |action, _options| action == :block }
-                if blocked_event
-                  self.response = AppSec::Response.negotiate(env, blocked_event.last[:actions]).to_sinatra_response
-
-                  # interrupt request and return response to dispatch! for consistency
-                  throw(Datadog::AppSec::Contrib::Sinatra::Ext::ROUTE_INTERRUPT, response)
-                end
-              end
+              Instrumentation.gateway.push('sinatra.request.routed', [gateway_request, gateway_route_params])
 
               yield(*args)
             end

data/lib/datadog/appsec/contrib/sinatra/reactive/routed.rb

@@ -34,7 +34,7 @@ module Datadog
                 waf_timeout = Datadog.configuration.appsec.waf_timeout
                 result = context.run_waf(persistent_data, {}, waf_timeout)
 
-                next if result.status != :match
+                next unless result.match?
 
                 yield result
                 throw(:block, true) unless result.actions.empty?

data/lib/datadog/appsec/ext.rb

@@ -3,7 +3,10 @@
 module Datadog
   module AppSec
     module Ext
-      RASP_SQLI = :sql_injection
+      RASP_SQLI = 'sql_injection'
+      RASP_LFI = 'lfi'
+      RASP_SSRF = 'ssrf'
+
       INTERRUPT = :datadog_appsec_interrupt
       CONTEXT_KEY = 'datadog.appsec.context'
       ACTIVE_CONTEXT_KEY = :datadog_appsec_active_context
@@ -11,6 +14,8 @@ module Datadog
       TAG_APPSEC_ENABLED = '_dd.appsec.enabled'
       TAG_APM_ENABLED = '_dd.apm.enabled'
       TAG_DISTRIBUTED_APPSEC_EVENT = '_dd.p.appsec'
+
+      TELEMETRY_METRICS_NAMESPACE = 'appsec'
     end
   end
 end

data/lib/datadog/appsec/metrics/collector.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Metrics
+      # A class responsible for collecting WAF and RASP call metrics.
+      class Collector
+        Store = Struct.new(:evals, :timeouts, :duration_ns, :duration_ext_ns, keyword_init: true)
+
+        attr_reader :waf, :rasp
+
+        def initialize
+          @mutex = Mutex.new
+          @waf = Store.new(evals: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0)
+          @rasp = Store.new(evals: 0, timeouts: 0, duration_ns: 0, duration_ext_ns: 0)
+        end
+
+        def record_waf(result)
+          @mutex.synchronize do
+            @waf.evals += 1
+            @waf.timeouts += 1 if result.timeout?
+            @waf.duration_ns += result.duration_ns
+            @waf.duration_ext_ns += result.duration_ext_ns
+          end
+        end
+
+        def record_rasp(result)
+          @mutex.synchronize do
+            @rasp.evals += 1
+            @rasp.timeouts += 1 if result.timeout?
+            @rasp.duration_ns += result.duration_ns
+            @rasp.duration_ext_ns += result.duration_ext_ns
+          end
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/metrics/exporter.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Metrics
+      # A class responsible for exporting WAF and RASP call metrics.
+      module Exporter
+        module_function
+
+        def export_waf_metrics(metrics, span)
+          return if metrics.evals.zero?
+
+          span.set_tag('_dd.appsec.waf.timeouts', metrics.timeouts)
+          span.set_tag('_dd.appsec.waf.duration', convert_ns_to_us(metrics.duration_ns))
+          span.set_tag('_dd.appsec.waf.duration_ext', convert_ns_to_us(metrics.duration_ext_ns))
+        end
+
+        def export_rasp_metrics(metrics, span)
+          return if metrics.evals.zero?
+
+          span.set_tag('_dd.appsec.rasp.rule.eval', metrics.evals)
+          span.set_tag('_dd.appsec.rasp.timeout', 1) unless metrics.timeouts.zero?
+          span.set_tag('_dd.appsec.rasp.duration', convert_ns_to_us(metrics.duration_ns))
+          span.set_tag('_dd.appsec.rasp.duration_ext', convert_ns_to_us(metrics.duration_ext_ns))
+        end
+
+        # private
+
+        def convert_ns_to_us(value)
+          value / 1000.0
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/metrics/telemetry.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    module Metrics
+      # A class responsible for reporting WAF and RASP telemetry metrics.
+      module Telemetry
+        module_function
+
+        def report_rasp(type, result)
+          return if result.is_a?(SecurityEngine::Result::Error)
+
+          tags = { rule_type: type, waf_version: Datadog::AppSec::WAF::VERSION::BASE_STRING }
+          namespace = Ext::TELEMETRY_METRICS_NAMESPACE
+
+          AppSec.telemetry.inc(namespace, 'rasp.rule.eval', 1, tags: tags)
+          AppSec.telemetry.inc(namespace, 'rasp.rule.match', 1, tags: tags) if result.match?
+          AppSec.telemetry.inc(namespace, 'rasp.timeout', 1, tags: tags) if result.timeout?
+        end
+      end
+    end
+  end
+end

data/lib/datadog/appsec/metrics.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Datadog
+  module AppSec
+    # This namespace contains classes related to metrics collection and exportation.
+    module Metrics
+    end
+  end
+end
+
+require_relative 'metrics/collector'
+require_relative 'metrics/exporter'
+require_relative 'metrics/telemetry'